JavaScript attack can monitor keystrokes via CPU cache


Researchers at Cornell University have developed an attack method that can read the L3 cache of Intel processors using JavaScript. As a result, keystrokes and mouse clicks can be read out.

In order to carry out the attack, titled ‘The Spy in the Sandbox’, it is not necessary to install any other software on a target’s machine. The victim only needs to visit a web page that contains specially crafted content from the attacker. The method also works within virtual machines, the research paper shows. The exploit code will not be released until browsers are patched.

This is a so-called side channel attack. A side channel attack is an attack that exploits the implementation of cryptographic systems, rather than the cryptographic algorithms themselves. The research itself is highly academic, The Register writes, but the site does give an example: on a Mac with an Intel Core i7 running OS X 10.10.2 and Firefox 35.0.1, half of the L3 cache mapping could be achieved in under a minute.

The moment a user arrives at a site with content that the hacker controls, for example through a rogue ad, JavaScript code can be run that observes and saves the keyboard and mouse inputs. Both kinds of input leave traces in the cache of the Intel CPU. The L3 cache, also known as the last-level cache, is shared by all cores. The method does not work with AMD processors because their cache memory is addressed differently.

When the malicious JavaScript is running, the code fills the cache with its own data and thus knows the state of the cache. Then the code waits for the user to do something, such as hitting a key. The code then uses the browser's timers to record how long it takes to go through a block of memory. If a block is accessed faster than the others, it is still cached. This information can be used to map out the pattern with which the memory is addressed by, for example, keystrokes or mouse movements. That pattern can then be replayed.
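The measurement step above depends on a timer fine enough to tell a cache hit from a miss, which is why coarsening the browser's high-resolution clock is a well-known mitigation for this class of attack. The following simulation is an added example, not code from the article or the researchers; the latency figures, the 5 µs resolution and the noise model are constructed assumptions, and no real memory or timer is touched.

```javascript
// Constructed latencies (ns): an L3 hit versus a fetch from DRAM after eviction.
const HIT_NS = 10;
const MISS_NS = 100;

// Deterministic PRNG so the simulation is reproducible across runs.
function lcg(seed) {
  let s = seed >>> 0;
  return () => (s = (s * 1664525 + 1013904223) >>> 0) / 2 ** 32;
}

// Quantise a timestamp (ns) to a clock with the given tick, modelling a
// browser that rounds its high-resolution timer to coarser steps.
function coarsen(ns, resolutionNs) {
  return Math.floor(ns / resolutionNs) * resolutionNs;
}

// Time one simulated memory access with a clock of the given resolution:
// the access starts at an unknown phase relative to the tick, and the
// latency carries up to 5 ns of jitter.
function measure(isHit, resolutionNs, rand) {
  const start = rand() * resolutionNs;
  const latency = (isHit ? HIT_NS : MISS_NS) + rand() * 5;
  return coarsen(start + latency, resolutionNs) - coarsen(start, resolutionNs);
}

// Classify each measurement as hit or miss using a threshold midway between
// the two latencies and return the fraction classified correctly.
function classifyAccuracy(resolutionNs, trials = 2000, seed = 42) {
  const rand = lcg(seed);
  const threshold = (HIT_NS + MISS_NS) / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isHit = i % 2 === 0;                    // alternate hits and misses
    const guessHit = measure(isHit, resolutionNs, rand) < threshold;
    if (guessHit === isHit) correct++;
  }
  return correct / trials;
}

// With a 1 ns clock every access is classified correctly; with the assumed
// 5 µs clock almost every access reads as 0 ns and accuracy collapses to
// roughly a coin flip.
console.log("1 ns clock:", classifyAccuracy(1));
console.log("5 us clock:", classifyAccuracy(5000));
```

Coarsening raises the number of samples an attacker must collect and average rather than removing the signal outright, so it is a mitigation to combine with others, not a complete fix.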

The researchers tell TechWorm that the exploit cannot directly steal passwords or data, but can record the input from the mouse and keyboard. A potential hacker can clone the keystrokes and then correlate them, via the browsing history, with the sites that were visited. According to the researchers, this is the first side channel attack that can be performed from the browser.
